
Store MFA (TOTP) secret in aws-vault #386

Closed
StevenACoffman opened this issue Jun 24, 2019 · 12 comments
Comments

@StevenACoffman
Contributor

I am happily using both aws-vault (which stores my AWS credentials in my mac keychain) and keyfob to store my AWS MFA TOTP secret in my mac keychain, and generate my MFA as needed.

I wrote keyfob in golang, and aws-vault is in golang, so I was curious if you would be open to a pull request adding 2fa support to aws-vault?

This seems equivalent in security to the yubikey PR, but cheaper and possibly more convenient.

@mtibben
Member

mtibben commented Jun 25, 2019

Go for it @StevenACoffman

@mtibben
Member

mtibben commented Jun 25, 2019

Although now reading about keyfob, I'm not sure that's a good idea. The whole point of a second factor is "something you have". Switching that to the keychain eliminates the second factor.

@StevenACoffman
Contributor Author

  • 2 factor = AWS secret access key (thing you know) + yubikey (thing you own)
  • 2 factor = AWS secret access key (thing you know) + mac laptop containing keychain MFA secret (thing you own)

Seems pretty equivalent, especially because most people don’t bother to remove the slim profile yubikeys from their laptop usb ports.

I could pretty easily have the keyfob TOTP generation process require Mac Touch ID to unlock and that would actually add some real security (biometric) to the process. Would you then be interested in me incorporating that into aws-vault?

@mtibben
Member

mtibben commented Jun 25, 2019

Except that the "AWS secret access key (thing you know)" is stored in the Keychain. If the "thing you know" and the "thing you have" are accessed with the same mechanism, this doesn't really meet the 2FA definition.

@FernandoMiguel
Collaborator

I already run authy on my mac (and phone), so that always feels like 1.5 MFA
But if it can be enforced to use touch id, I would feel more secure

@StevenACoffman
Contributor Author

@mtibben Completely fair to have your own comfort level with security. Everyone has different requirements for stringency.

Just to clarify, are you saying I should not bother with adding a touch ID requirement to TOTP generation and then making that a contribution to aws-vault as it would not be accepted? As I said, that would be completely fair of you, even if it seems like that would be an improvement over authy and yubikey to me.

@mtibben
Member

mtibben commented Jun 26, 2019

Yes, after thinking about it further I do think TOTP generation is out of scope for aws-vault, but I would be interested in @lox's thoughts also. Also note there was some work on TouchID support in #131.

@lox
Collaborator

lox commented Jun 26, 2019

My thing with AWS vault is that I just always want to be prompted when key material is accessed. Currently for me that is an MFA token. I'd be happy for it to be TouchID that did the prompting.

I'd probably be less keen on 2fa support unless it also came with TouchID (and even better with secure enclave support).

@fred

fred commented Aug 7, 2019

As a user, I would feel it to be an improvement to use my Yubikey instead of typing the keychain password each time. This may not be considered ideal as 2FA, but I think it's an improvement for frequent or power users.

To make things simple, I view it like SSH keys. The private key is encrypted with my passphrase, which might not be as secure as a Yubikey. So I started using the Yubikey for SSH, which is much faster and easier on a daily basis. PS: I also use aws-vault at least 10-20 times a day 😉

Also, another thought: since the pass backend is already supported, and pass uses GPG, pass should probably work with a Yubikey, since the Yubikey basically abstracts GPG.
I will have a look into that if it makes my flow faster.

@fred

fred commented Aug 7, 2019

Using the pass backend with the GPG key from the Yubikey works flawlessly!

I initialized pass with my Yubikey GPG key, so I just run aws-vault exec and touch the Yubikey. Really happy with this setup.

Optionally, it's also possible to add a secondary GPG key as a backup, in case you don't have the Yubikey or lost it.

@fred

fred commented Aug 7, 2019

For those looking to use the Yubikey/pass setup with touch, these are the steps I did on Mac.
It should be similar for Linux.

1. Remove the existing credential

Run this only if you already had it set up before:

aws-vault remove fred

2. Set this in your bash/fish/zsh env

AWS_VAULT_BACKEND="pass"

3. Get a new access key from the AWS console

Or extract it from the keychain; I recommend rotating it as a habit 😛.

4. Set up pass

brew install pass
pass init "your-gpg-id"

You can get the GPG id from your Yubikey with this command:

gpg --card-status

Your ID is the one after sec>, for example: 16DFB8F9BCXXXXXX

sec> rsa4096/16DFB8F9BCXXXXXX

Then you run pass init 16DFB8F9BCXXXXXX in my case.

5. Set up aws-vault

aws-vault add fred

It should use the pass backend by default.

Or test with:

aws-vault add fred --pass

Now you just touch the Yubikey when you call aws-vault, if you have touch required.
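A script form of the steps in the comment above, added here as an example; it is not part of fred's comment or of the aws-vault project. It parses the `sec>` line of `gpg --card-status` to pick out the key id that step 4 asks you to read by eye, refuses to continue if no such line is present, and then runs the `aws-vault remove`, `pass init` and `aws-vault add` commands in the order the steps give them. The function names, the profile name `fred` and the sample card-status line are constructed for illustration; the key id in the sample is a placeholder, not a real key, and the script assumes `gpg`, `pass` and `aws-vault` are on `PATH`.

```shell
#!/usr/bin/env bash
# Added example (not from the original comment or from aws-vault): automate the
# Yubikey + pass backend setup. Assumes gpg, pass and aws-vault are installed.
set -eu

# Constructed sample of the `gpg --card-status` line the steps refer to.
# The key id is a placeholder, not a real key.
SAMPLE_CARD_STATUS='sec>  rsa4096/16DFB8F9BC000000  created: 2019-06-01  expires: never'

# Read `gpg --card-status` output on stdin and print the key id that follows
# "sec>" (the part after the slash). Prints nothing if no such line exists.
card_key_id() {
  awk '$1 == "sec>" { split($2, parts, "/"); print parts[2]; exit }'
}

# Fail instead of running `pass init ""` when the card exposes no key id
# (card not inserted, or gpg cannot talk to it).
require_card_key_id() {
  id="$(gpg --card-status | card_key_id)"
  if [ -z "$id" ]; then
    echo "no 'sec>' key found; is the Yubikey inserted?" >&2
    return 1
  fi
  printf '%s\n' "$id"
}

# Steps 1, 2, 4 and 5 from the comment, in that order. Step 3 (getting a new
# access key) stays manual: `aws-vault add` prompts for it.
setup_pass_backend() {
  profile="$1"
  key_id="$(require_card_key_id)"
  # Step 1: remove the old credential while the previous backend is still in
  # effect; ignore the error if there was nothing stored.
  aws-vault remove "$profile" || true
  # Step 2: make pass the backend for this shell and anything it runs.
  export AWS_VAULT_BACKEND=pass
  # Step 4: initialise the password store against the card's GPG key.
  pass init "$key_id"
  # Step 5: store the new access key. pass asks the card to encrypt, which is
  # where the Yubikey touch happens if touch is required.
  aws-vault add "$profile"
}

# Only perform the real setup when invoked as `./setup.sh run <profile>`, so the
# functions can be sourced or tested without touching gpg or aws-vault.
if [ "${1:-}" = "run" ]; then
  setup_pass_backend "${2:-fred}"
fi
```

Run it once per profile with `./setup.sh run fred`; the `card_key_id` parser can be exercised on its own by piping any saved `gpg --card-status` output into it.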

@stale

stale bot commented Feb 3, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Feb 3, 2020